Last Updated on April 2, 2020

The SaaS model depends on trust. As a SaaS provider, are potential customers confident they can trust you with their data?

Despite massive and growing investments in cloud applications and services, a McAfee study on the state of cloud adoption and security found only 23% of organizations completely trust public clouds to keep their data secure. And 29% of businesses still distrust public clouds altogether.

It follows if you can inspire trust and confidence in your SaaS, you have a major competitive advantage. Arguably the best way to build that trust is to demonstrate you’ve earned it—through independent, third-party accreditation of your security controls.

But which of the many possible information security accreditations, certifications and frameworks should you choose? This can be a challenging question to answer, especially if you face multiple compliance demands (e.g., HIPAA, PCI and HITRUST).

Cyber Security Accreditations for SaaS Companies

Based on extensive experience in this area, here are our top 5 picks (you will note we threw in a bonus pick !) for SaaS providers serving various industries.

1) ISO 27001

The internationally recognized ISO 27001 standard is relevant to any organization across industries, but is especially relevant to SaaS providers, as it is widely considered “the gold standard” of third party validation of your security posture. To achieve ISO 27001 certification, you must put in place a comprehensive Information Security Management System (ISMS) that provides the logical construct for you to consistently manage information related risk in accordance with your risk appetite, client contractual obligations, and relevant laws and regulations.

An ISO 27001 certification includes a formal certification audit process with annual surveillance audits to ensure that your information security posture evolves as your business does. This makes it the strongest and most comprehensive single form of independent attestation for any information security program, including SaaS providers.

2) SOC 2

SOC 2 is also a widely leveraged and well-respected information security/audit framework that provides your clients with a high degree of assurance as to the security of your SAAS solution.  SOC2 is an AICPA issued framework that includes up to five trust principles (Security, Availability, Processing Integrity, Confidentiality, Privacy) that you can be audited against.

Like ISO 27001 hinges on a third-party audit, a SOC 2 report can reference a “point in time” (Type I) or “period of time” (Type II) evaluation of anywhere from one to all five of the trust principles.

If you are asking yourself the all too common question; “ISO 27001, SOC2, or both?”.  You may want to listen to this vCISO podcast on the topic.

3) OWASP ASVS

How can prospects know if your SaaS application is secure? The OWASP Application Security Verification Standard (ASVS) gives SaaS providers an open, standardized framework for testing and hardening web application technical security controls.

Where ISO 27001, SOC 2 or CSA STAR focus on security holistically, the OWASP ASVS focuses on the security of your application at a very detailed level. Specifically geared towards establishing a verifiable level of confidence in the security of an application (including web, API, mobile, etc.) it defines a range of coverages and levels of rigor suitable for any SaaS scenario. While the ASVS does not offer a formal “certification” of applications per se, a report that verifies your “conformance” with OWASP ASVS Level 1, 2 or 3  provides a high degree of assurance to your clients that your application is highly secure. Level 2 verification goes well beyond commonplace, automated testing like is typically done with an OWASP Top 10 aligned assessment. ASVS Level 2 requires at least some access to developers, documentation, code and the running application. Level 3 requires an ultra-deep dive into 292 controls that a very high risk application needs to account for.

4) CSA STAR

Developed by the Cloud Security Alliance and first launched in 2013, the CSA STAR attestation is touted as “the future of cloud trust and assurance.” It focuses on “key principles of transparency, rigorous auditing, and harmonization of standards.”

CSA STAR consists of three levels of assurance:

1. Self-assessment
2. A rigorous, third-party assessment
3. A continuous monitoring program (still under development)

While comparatively new, CSA STAR is intended to augment the controls of ISO 2700, specifically to cloud use cases, by leveraging additional prescriptive guidance from the

Cloud Controls Matrix (CCM). More and more leading cloud platforms, including Microsoft Azure, are CSA STAR certified.

5) ISO 22301

Downtime and loss of service are not only extremely costly and problematic for SaaS providers and their clients, but also increase a provider’s vulnerability to security threats. ISO 22301 Business Continuity Management certification requires organizations to have a verifiably robust business continuity strategy.

ISO 22301 is based on requirements to “plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.” Achieving this international certification, which requires ongoing, third-party attestation, is the gold standard for SaaS organizations looking to demonstrate high availability.  Post Covid, we expect the demand for this standard to increase.